- Pivotal Elastic Runtime 1.9+
- Pivotal Cloud Foundry
The Elastic Runtime UAA service holds a certificate that signs outbound communication to an external SAML Identity Provider. This certificate has a 2-year expiration period and must be regenerated after that time.
The certificate is used to sign the SAML authentication request sent to the Identity Provider. It is sent for extra security, so the impact of rotating the certificate depends on whether the IdP validates the request signature.
Rotating the SAML Service Provider Credentials should only have an impact if the answer to all of these questions is 'yes':
- Are you using SSO in production for apps?
- If yes, are you using SAML Identity Providers for SSO service plans?
- If yes, did you have Ops Manager generate a certificate for you? (this is done by using the Generate RSA Certificate button in Ops Manager)
- If yes, are you validating the signature of SAML authentication request on the Identity provider side?
Validate the expiration time of the certificate:
For Elastic Runtime >= 1.11.x, navigate to:
Elastic Runtime > UAA > SAML Service Provider Credentials
For Elastic Runtime <= 1.10.x, navigate to:
Elastic Runtime > Authentication & SSO > Service Provider Credentials
Copy the contents of the certificate into a temporary file (for example, test.pem).
Execute the following command to validate the expiration time of the certificate:
# openssl x509 -enddate -noout -in test.pem
notAfter=Dec 7 21:01:04 2017 GMT
Alternatively, you can check via the Ops Manager API by following the steps in this article: https://discuss.pivotal.io/hc/en-us/articles/115015525088-PCF-Advisory-Internal-certificates-expire-2-years-after-installation
$ curl "https://OPS-MAN-FQDN/api/v0/deployed/certificates?expires_within=6m" \
-H "Authorization: Bearer YOUR-UAA-ACCESS-TOKEN"
In the response, find the certificate with the property uaa.service_provider_key_credentials and validate its expiration date.
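The two checks above can be automated. The following added example (not from the original article or from Pivotal) parses the `notAfter` line printed by openssl and the JSON returned by the Ops Manager certificates endpoint, then reports how many days remain on the uaa.service_provider_key_credentials certificate; the JSON field names and the sample response are assumptions modelled on the Ops Manager API and should be checked against your version.

```python
import json
from datetime import datetime, timezone

SAML_SP_PROPERTY = "uaa.service_provider_key_credentials"

# Constructed sample of a /api/v0/deployed/certificates response. The field
# names (property_reference, valid_until, product_guid) are an assumption
# based on the Ops Manager API; verify them against your Ops Manager version.
SAMPLE_RESPONSE = json.dumps({"certificates": [
    {"product_guid": "cf-0123456789abcdef",
     "property_reference": ".uaa.service_provider_key_credentials",
     "valid_from": "2015-12-07T21:01:04Z",
     "valid_until": "2017-12-07T21:01:04Z"},
    {"product_guid": "cf-0123456789abcdef",
     "property_reference": ".properties.some_other_cert",
     "valid_from": "2017-01-01T00:00:00Z",
     "valid_until": "2019-01-01T00:00:00Z"},
]})


def parse_openssl_enddate(line):
    """Parse the 'notAfter=...' line printed by `openssl x509 -enddate -noout`."""
    value = line.strip().split("=", 1)[1]  # e.g. 'Dec  7 21:01:04 2017 GMT'
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_api_timestamp(value):
    """Parse the ISO 8601 UTC timestamps used in the Ops Manager API response."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Whole days until expiry; negative once the certificate has already expired."""
    return (not_after - now).days


def find_saml_sp_certs(response_json, now, warn_days=180):
    """Return (property_reference, days_remaining, needs_rotation) for every
    SAML Service Provider credential found in an API response."""
    results = []
    for cert in json.loads(response_json)["certificates"]:
        if not cert["property_reference"].endswith(SAML_SP_PROPERTY):
            continue  # skip certificates that are not the SAML SP credential
        remaining = days_remaining(parse_api_timestamp(cert["valid_until"]), now)
        results.append((cert["property_reference"], remaining, remaining < warn_days))
    return results


if __name__ == "__main__":
    now = parse_api_timestamp("2017-09-01T00:00:00Z")  # fixed 'now' for reproducible output
    print(days_remaining(parse_openssl_enddate("notAfter=Dec  7 21:01:04 2017 GMT"), now))
    for ref, days, rotate in find_saml_sp_certs(SAMPLE_RESPONSE, now):
        print(ref, days, "ROTATE" if rotate else "ok")
```

Pipe the real curl output into find_saml_sp_certs with the current time in place of the fixed date to get a rotation warning for the production certificate.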
Rotating SAML Service Provider Credential certificate
If the certificate is nearing expiration, it needs to be regenerated.
This is only disruptive if Elastic Runtime is configured to use SSO/SAML and the IdP validates the requests, in which case the new certificate must be imported into the IdP.
Perform the following steps:
- Arrange for IdP admin to be available before certificate expiration occurs.
- Disable certificate validation on the IdP side.
- Generate a new certificate on production by clicking the `generate` option under SAML Service Provider Credentials.
- Import the new certificate into your IdP:
https://docs.pivotal.io/pivotalcf/1-12/opsguide/auth-sso.html#configure-saml-for-pcf
These steps will vary depending on which SAML provider you are using:
If using ADFS, see: https://docs.pivotal.io/p-identity/1-3/adfs/config-adfs.html
If using CA SSO, see: https://docs.pivotal.io/p-identity/1-3/ca-sso/config-ca-sso.html
If using OKTA, see: https://docs.pivotal.io/p-identity/1-3/okta/config-okta.html
If using PingFederate, see: https://docs.pivotal.io/p-identity/1-3/pingfederate/config-pingfederate.html
- Re-enable certificate validation on the IdP.
- Validate system functionality.
Guide on importing certificates to an SSO provider: https://docs.pivotal.io/pivotalcf/1-12/opsguide/auth-sso.html#configure-saml-for-pcf
Reference on using the Ops Manager API: https://docs.pivotal.io/pivotalcf/1-10/customizing/ops-man-api.html
Reference guide on rotating and regenerating certificates in PCF: https://docs.pivotal.io/pivotalcf/1-12/security/pcf-infrastructure/api-cert-rotation.html